authorTom Yu <tlyu@mit.edu>2010-03-15 23:50:52 +0000
committerTom Yu <tlyu@mit.edu>2010-03-15 23:50:52 +0000
commitee25bca8b9805a4a3ae805d3166b98fb4b20d6f2 (patch)
tree0184deeec0e28fe94693a3fe1a54a53f8dd207b2
parentbfbb07dc7832a497d68190161ffd46ec86fcd597 (diff)
pull up r23766 from trunk
------------------------------------------------------------------------ r23766 | ghudson | 2010-03-05 12:45:46 -0500 (Fri, 05 Mar 2010) | 10 lines ticket: 6676 subject: Ignore improperly encoded signedpath AD elements target_version: 1.8.1 tags: pullup We have some reason to believe Microsoft and Heimdal are both using the authdata value 142 for different purposes, leading to failures in verify_ad_signedpath(). For better interoperability, treat such tickets as unsigned, rather than invalid. ticket: 6676 version_fixed: 1.8.1 status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23809 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/kdc/kdc_authdata.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 5097558..b5de64d 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context context,
enc_sp.length = sp_authdata[0]->length;
code = decode_krb5_ad_signedpath(&enc_sp, &sp);
- if (code != 0)
+ if (code != 0) {
+ /* Treat an invalid signedpath authdata element as a missing one, since
+ * we believe MS is using the same number for something else. */
+ code = 0;
goto cleanup;
+ }
code = verify_ad_signedpath_checksum(context,
krbtgt,